Hi,

I would like to know if operators use GTSM techniques with BGP and other routing protocols today? Is any at the perimeter of the routing domain deployed? I would believe that GTSM can provide protection against attacks more than a hop away and thus can save against a lot of potential DoS attacks. Is anything done by the operators here?

Thanks,
John
On Thu, 17 Aug 2006, John Smith wrote:
> I would like to know if operators use GTSM techniques with BGP and other routing protocols today? Is any at the perimeter of the routing domain deployed? I would believe that GTSM can provide protection against attacks more than a hop away and thus can save against a lot of potential DoS attacks.
> Is anything done by the operators here?

We'd love to use it but unfortunately the J vendor doesn't support it very well even on T-series (if it supports it at all, not quite sure..). Enhancement Requests haven't gotten through, but maybe gripes on nanog will :-(

--
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
Then is it fair to assume that operators are not using it?

----- Original Message ----
From: Pekka Savola <pekkas@netcore.fi>
To: John Smith <jsmith4112003@yahoo.co.uk>
Cc: nanog@merit.edu
Sent: Friday, 18 August, 2006 2:15:31 AM
Subject: Re: GTSM - Do you use it?

On Thu, 17 Aug 2006, John Smith wrote:
> I would like to know if operators use GTSM techniques with BGP and other routing protocols today? Is any at the perimeter of the routing domain deployed? I would believe that GTSM can provide protection against attacks more than a hop away and thus can save against a lot of potential DoS attacks.
> Is anything done by the operators here?

We'd love to use it but unfortunately the J vendor doesn't support it very well even on T-series (if it supports it at all, not quite sure..). Enhancement Requests haven't gotten through, but maybe gripes on nanog will :-(

--
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
I don't think that's a fair assumption. A few providers I talked to for a security current practiced document I am writing said they were deploying it between BGP peers and I recently asked for more clarification from some individuals to ensure I had correct info with respect to vendors. There is some support in some J boxes and also support in C boxes. I didn't get specific detail how it was deployed, just that it was.

- merike

On Aug 17, 2006, at 4:48 PM, John Smith wrote:
> Then is it fair to assume that operators are not using it?
On Thu, Aug 17, 2006 at 05:14:57PM -0700, Merike Kaeo wrote:
> I don't think that's a fair assumption. A few providers I talked to for a security current practiced document I am writing said they were deploying it between BGP peers and I recently asked for more clarification from some individuals to ensure I had correct info with respect to vendors. There is some support in some J boxes and also support in C boxes. I didn't get specific detail how it was deployed, just that it was.
Juniper only supports GTSM on Gibson-based architectures (which is T640, T320, M320, and M120 today). Cisco only supports GTSM in a meaningful way on IOS XR on CRS-1. All IOS based platforms still check MD5 before TTL, and only do TTL checks in software, making it worthless for anything other than deploying it on sessions today and maybe making it do something useful tomorrow. I think XR on GSR support is limited too, but nobody runs that in production anyways. :)

And no, nobody seriously deploys GTSM today in any kind of scale. AFAIK no other vendors support it yet either, so requiring it on sessions is a non-starter.

--
Richard A Steenbergen <ras@e-gerbil.net>       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
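An added illustration, not part of the original thread, of the check-ordering point raised in the message above: it counts how many MD5 verifications a receive path performs on off-path traffic when the TTL check runs after versus before the MD5 check. The class and function names, the sample key and the packets are constructed for the example, and the digest is a simplified stand-in for the TCP MD5 signature option.

```python
import hashlib
import hmac
from dataclasses import dataclass

GTSM_TTL = 255                      # TTL a GTSM sender sets; a directly connected peer's packets arrive with it intact
KEY = b"constructed-session-key"    # constructed sample key, not from the thread

@dataclass
class Packet:
    ttl: int        # TTL as seen on arrival
    payload: bytes
    digest: bytes   # stand-in for the TCP MD5 signature option

def sign(payload, key=KEY):
    # Simplification: the real option also covers the pseudo-header and TCP header.
    return hashlib.md5(payload + key).digest()

class ReceivePath:
    def __init__(self, ttl_first, min_ttl=GTSM_TTL):
        self.ttl_first = ttl_first
        self.min_ttl = min_ttl      # 255 assumes a directly connected peer
        self.md5_ops = 0            # expensive operations spent so far
        self.accepted = 0

    def _ttl_ok(self, pkt):
        return pkt.ttl >= self.min_ttl

    def _md5_ok(self, pkt):
        self.md5_ops += 1
        return hmac.compare_digest(sign(pkt.payload), pkt.digest)

    def receive(self, pkt):
        checks = (self._ttl_ok, self._md5_ok) if self.ttl_first else (self._md5_ok, self._ttl_ok)
        ok = all(check(pkt) for check in checks)    # all() stops at the first failed check
        self.accepted += ok
        return ok

def run(ttl_first, spoofed=1000):
    """Return (accepted packets, MD5 computations) for constructed traffic."""
    path = ReceivePath(ttl_first)
    # Packets that crossed at least one router arrive with TTL 254 or lower.
    for i in range(spoofed):
        path.receive(Packet(ttl=254 - (i % 20), payload=b"junk", digest=b"\0" * 16))
    msg = b"KEEPALIVE"
    path.receive(Packet(ttl=GTSM_TTL, payload=msg, digest=sign(msg)))
    return path.accepted, path.md5_ops

if __name__ == "__main__":
    print("MD5 before TTL:", run(ttl_first=False))
    print("TTL before MD5:", run(ttl_first=True))
```

Both orderings accept only the legitimate packet; the difference is the work spent rejecting the rest.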
On 17 Aug 2006, at 21:45, Pekka Savola wrote: [...]
> Enhancement Requests haven't gotten through, but maybe gripes on nanog will :-(
IME, griping about something on a mailing list, while typically getting you an email from a techie at the company concerned (especially if the gripe was ferocious enough to strip paint), rarely actually gets the problem fixed. It's not unreasonable, I guess. Decision makers aren't likely to be reading operational mailing lists with a low S/N ratio.
participants (5): John Smith, Merike Kaeo, Pekka Savola, Peter Corlett, Richard A Steenbergen